Horn’s report card shows agencies flunking IT security

By GCN Staff

Nov 19, 2002

The government today received an overall failing grade for systems security for the second consecutive year as Rep. Steve Horn issued his latest annual report card.

There were few improvements in this year’s card. The government’s overall score was 55, up from 53 a year ago, and only 14 of 24 executive branch agencies received an F, compared with 16 agencies last year. But last year’s standout agency, the National Science Foundation, dropped from a B+ to a D-.

This year’s top performer was the Social Security Administration, which climbed from a C+ to a B-. In the cellar this year is the Transportation Department, which scored what Horn called “an appalling 28 points out of a possible 100.”

The California Republican issued the grades during a hearing of his House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. The scores are based on weighted evaluations of each agency’s performance in five major areas. The information is drawn from studies by the General Accounting Office, the Office of Management and Budget, and agencies’ CIOs and inspectors general.

Key to implementing adequate information security is an agency’s CIO, several witnesses said at today’s hearing.

“Where we have seen progress, there has been clear action taken to empower the CIO,” said Mark Forman, OMB associate director for IT and e-government. “Transportation is one where there is a less-than-powerful CIO.”

In fact, said Transportation IG Kenneth M. Mead, “Transportation does not have a CIO.” The department has had a permanent CIO for only 18 months since the office was mandated in 1996, Mead said.

Social Security officials attributed the agency’s success to a culture of security, which has been implemented from the top down. From its inception, SSA has been concerned about the privacy of the information it maintains, said SSA deputy commissioner and chief operating officer James B. Lockhart III. “That has infused our culture from Day 1.”

Forman identified three continuing weaknesses that make federal systems vulnerable:

A lack of system-level security plans and certifications;

A lack of agreement between many IGs and CIOs as to what their agencies' weaknesses are;

A lack of prioritization in IT investments.

Officials credited the Government Information Security Reform Act for much of the improvement seen in this year’s assessment, and witnesses were uniform in their recommendation that it be extended. The law is set to expire Nov. 29. Congress has included provisions making its requirements permanent in the Homeland Security bill now before the Senate.

Under GISRA, OMB requires agencies to include IT security in their annual budget proposals or risk losing funding.

“There were a number of proposals last year we put on the high-risk list” because of IT security problems identified in GISRA reports, Forman said.

OMB also issues an annual report to Congress on the state of IT security. The next report is due in February. Forman said there would likely be some discrepancies between his report and the report card. For instance, he said his staff had found that the Justice Department, which received a failing score of 56 on the report card, had made more progress than the report card indicated.